|

AZ-104 Lab Guide: Optimize and Secure Azure VMs with Resizing, Policy Compliance, and Bastion

ByTechieGeek

Azure Lab: Getting the Most Out of a VM (Sizing, Updates, Policy, Bastion)

This lab builds on your deployed VM and focuses on the day-2 operations that keep Azure VMs secure, compliant, and cost-effective over time.

Lab Objectives

By the end, you will be able to:

  • Resize a VM safely (vertical scaling) and understand scale sets (horizontal scaling)
  • Understand maintenance impact using availability sets, update domains, and fault domains
  • Review and interpret Azure Policy compliance for VMs
  • Replace public RDP/SSH exposure with Azure Bastion
  • Apply simple cost controls and shutdown discipline

Prerequisites

  • A running Azure VM (Ubuntu or Windows)
  • Contributor permissions on the resource group
  • Optional: Bastion requires a VNet with a dedicated subnet named AzureBastionSubnet

Part 1: Resize the VM (Vertical Scaling)

Step 1: Check Current VM Size

  1. Azure Portal โ†’ Virtual machines
  2. Select your VM
  3. Go to Size

โœ… Checkpoint: You can see the current SKU (example: Standard_DS1_v2).

Step 2: Resize the VM

  1. On Size, select a different SKU (choose something slightly larger or smaller)
  2. Click Resize
  3. If prompted, stop the VM first:
    • VM โ†’ Stop
    • Wait until status = Stopped (deallocated)
    • Retry Resize
  4. Start the VM again

What you learned

  • Scale up = more CPU/RAM
  • Scale down = less CPU/RAM and lower cost

โœ… Checkpoint: VM runs successfully after resizing.

Part 2: Understand Scaling Strategies

Step 3: Know When to Scale Out (Horizontal Scaling)

You scale out when:

  • You need more capacity and redundancy
  • You want to distribute traffic across multiple VMs

Azure feature used

  • Virtual Machine Scale Set (VMSS)

โœ… Checkpoint: You can explain the difference:

  • Vertical = resize one VM
  • Horizontal = add/remove VMs (usually via VMSS)

Part 3: Maintenance and Updates (Availability Sets, Update Domains)

Step 4: Understand Availability Set Mechanics (Concept Lab)

Availability sets help Azure avoid taking down all your VMs at once during:

  • planned maintenance
  • host updates
  • certain fault events

Key terms

  • Update domain: Azure updates/reboots one update domain at a time
  • Fault domain: VMs separated across hardware groups to reduce shared failure risk

Why it matters

If you run a single VM and it goes down for maintenance, your app goes down.
If you run multiple VMs across update/fault domains, you reduce outage risk.

โœ… Checkpoint: You can describe update vs fault domains in one sentence each.

Part 4: Azure Policy for VMs (Governance Lab)

Step 5: Check VM Compliance

  1. Open your VM
  2. Go to Policies (or Azure Policy in the portal and scope to the RG/subscription)
  3. Review assigned policies and compliance status

Examples of common VM policies

  • Allowed VM images only
  • Require managed disks
  • Allowed regions only
  • Require encryption at rest (managed by default)
  • Require tags (Owner, CostCenter, Environment)

โœ… Checkpoint: You can identify why something is noncompliant and where to remediate it.

Part 5: Secure Access with Azure Bastion (Best Practice Lab)

Step 6: Why Bastion

Bastion allows you to connect to VMs using the Azure network without exposing:

  • RDP (3389)
  • SSH (22)
    to the public internet.

This significantly reduces attack surface.

Step 7: Deploy Bastion (High-Level Steps)

  1. Azure Portal โ†’ Search Bastions
  2. Click + Create
  3. Select:
    • Subscription
    • Resource group
    • Region (same as VNet/VM)
    • Virtual network (your VM VNet)

Requirement

Your VNet must have a subnet named exactly:

  • AzureBastionSubnet
    with sufficient address space.

โœ… Checkpoint: Bastion deploys successfully.

Step 8: Connect to VM Using Bastion

  1. VM โ†’ Connect
  2. Choose Bastion
  3. Enter credentials (Windows) or SSH details (Linux)
  4. Connect in-browser

Practical note

File copy is more limited than native RDP. Use OneDrive/Blob storage when needed.

โœ… Checkpoint: You can connect to the VM without using the public IP.

Part 6: Cost Optimization (Real Savings)

Step 9: Enable Auto-Shutdown (If Non-Production)

  1. VM โ†’ Auto-shutdown
  2. Enable and set time (example: 7:00 PM)
  3. Save

โœ… Checkpoint: Auto-shutdown scheduled.

Step 10: Understand Spot and Reserved Instances (Decision Knowledge)

  • Spot: Cheap, interruptible, great for dev/test and batch jobs
  • Reserved instances: Discount for 1โ€“3 year commitment

โœ… Checkpoint: You can choose Spot vs Reserved based on workload type.

Lab Cleanup

If this is a lab environment:

  • Delete the resource group to remove all resources and stop charges:
    • Resource group โ†’ Delete resource group

LinkedInCopyPinterestRedditTelegramChatGPTSMS

Similar Posts

Leave a Reply

Your email address will not be published. Required fields are marked *